Modified: trunk/Source/_javascript_Core/ChangeLog (245431 => 245432)
--- trunk/Source/_javascript_Core/ChangeLog 2019-05-17 01:49:50 UTC (rev 245431)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-05-17 02:21:51 UTC (rev 245432)
@@ -1,3 +1,39 @@
+2019-05-16 Keith Miller <[email protected]>
+
+ Wasm should cage the memory base pointers in structs
+ https://bugs.webkit.org/show_bug.cgi?id=197620
+
+ Reviewed by Saam Barati.
+
+ Currently, we use cageConditionally; this only matters for API
+ users since the web content process cannot disable primitive
+ gigacage. This patch also adds a set helper for union/intersection
+ of RegisterSets.
+
+ * assembler/CPU.h:
+ (JSC::isARM64E):
+ * jit/RegisterSet.h:
+ (JSC::RegisterSet::set):
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::AirIRGenerator::addCallIndirect):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::B3IRGenerator::addCallIndirect):
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToWasm):
+ * wasm/WasmInstance.h:
+ (JSC::Wasm::Instance::cachedMemory const):
+ (JSC::Wasm::Instance::updateCachedMemory):
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::Memory::grow):
+ * wasm/WasmMemory.h:
+ (JSC::Wasm::Memory::memory const):
+ * wasm/js/JSToWasm.cpp:
+ (JSC::Wasm::createJSToWasmWrapper):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+
2019-05-16 David Kilzer <[email protected]>
REGRESSION (r15133): Fix leak of JSStringRef in minidom
Modified: trunk/Source/_javascript_Core/assembler/CPU.h (245431 => 245432)
--- trunk/Source/_javascript_Core/assembler/CPU.h 2019-05-17 01:49:50 UTC (rev 245431)
+++ trunk/Source/_javascript_Core/assembler/CPU.h 2019-05-17 02:21:51 UTC (rev 245432)
@@ -56,6 +56,15 @@
#endif
}
+constexpr bool isARM64E()
+{
+#if CPU(ARM64E)
+ return true;
+#else
+ return false;
+#endif
+}
+
constexpr bool isX86()
{
#if CPU(X86_64) || CPU(X86)
Modified: trunk/Source/_javascript_Core/jit/RegisterSet.h (245431 => 245432)
--- trunk/Source/_javascript_Core/jit/RegisterSet.h 2019-05-17 01:49:50 UTC (rev 245431)
+++ trunk/Source/_javascript_Core/jit/RegisterSet.h 2019-05-17 02:21:51 UTC (rev 245432)
@@ -84,7 +84,9 @@
set(regs.tagGPR(), value);
set(regs.payloadGPR(), value);
}
-
+
+ void set(const RegisterSet& other, bool value = true) { value ? merge(other) : exclude(other); }
+
void clear(Reg reg)
{
ASSERT(!!reg);
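Review bot: The new `set(const RegisterSet& other, bool value = true)` overload is undocumented, and its body is a conditional expression whose two operands are `void` calls, which reads oddly next to the `set(Reg, bool)` siblings above it. A short comment stating the contract, `// Add every register in |other| (value == true) or remove them all (value == false); mirrors set(Reg, bool).`, plus an `if (value) merge(other); else exclude(other);` body would make the intent obvious. Whether `merge`/`exclude` have any return value is not visible in this hunk, so the if/else form also avoids depending on that.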
Modified: trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp (245431 => 245432)
--- trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp 2019-05-17 01:49:50 UTC (rev 245431)
+++ trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp 2019-05-17 02:21:51 UTC (rev 245432)
@@ -40,6 +40,7 @@
#include "B3Procedure.h"
#include "B3ProcedureInlines.h"
#include "BinarySwitch.h"
+#include "DisallowMacroScratchRegisterUsage.h"
#include "ScratchRegisterAllocator.h"
#include "VirtualRegister.h"
#include "WasmCallingConvention.h"
@@ -822,6 +823,8 @@
RegisterSet clobbers;
clobbers.set(pinnedRegs->baseMemoryPointer);
clobbers.set(pinnedRegs->sizeRegister);
+ if (!isARM64())
+ clobbers.set(RegisterSet::macroScratchRegisters());
auto* patchpoint = addPatchpoint(B3::Void);
B3::Effects effects = B3::Effects::none();
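Review bot: The new clobber of `RegisterSet::macroScratchRegisters()` is keyed on `!isARM64()`, while the scratch-register count added a few lines further down in the same function is keyed on `Gigacage::isEnabled(Gigacage::Primitive)`, and nothing explains why the two conditions differ. Suggest a comment on the `if`: `// cageConditionally uses the macro scratch register on x86; on arm64e the PAC untag needs none, and on plain arm64 there is no primitive cage.` The arm64 half is inferred from the earlier "Remove Gigacage from arm64" ChangeLog entry rather than from this hunk, so verify it before committing the wording. restoreWebAssemblyGlobalState starts before this hunk.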
@@ -829,13 +832,18 @@
effects.reads = B3::HeapRange::top();
patchpoint->effects = effects;
patchpoint->clobber(clobbers);
+ patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
+ RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64());
+ AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64());
+ GPRReg baseMemory = pinnedRegs->baseMemoryPointer;
+ GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister;
+
jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister);
- jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), pinnedRegs->baseMemoryPointer);
-#if CPU(ARM64E)
- jit.untagArrayPtr(pinnedRegs->sizeRegister, pinnedRegs->baseMemoryPointer);
-#endif
+ jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
+
+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
});
emitPatchpoint(block, patchpoint, Tmp(), instance);
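Review bot: `Gigacage::isEnabled(Gigacage::Primitive)` is evaluated once when `numGPScratchRegisters` is set and again inside the generator lambda; if the primitive cage can be disabled between IR generation and code generation (the API-user path the ChangeLog mentions), the lambda would call `params.gpScratch(0)` with no scratch allocated. Evaluating it once keeps both sides in sync: `bool cagePrimitive = Gigacage::isEnabled(Gigacage::Primitive); patchpoint->numGPScratchRegisters = cagePrimitive ? 1 : 0;` and capture `[pinnedRegs, cagePrimitive]`. An `ASSERT(scratchOrSize != baseMemory);` after the `scratchOrSize` assignment would also document that the scratch never aliases the pinned base register, which this code silently relies on. Whether the cage can really flip after JIT start is not visible here, so treat the first point as a hardening suggestion. restoreWebAssemblyGlobalState starts before this hunk.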
@@ -1844,6 +1852,8 @@
// FIXME: We shouldn't have to do this: https://bugs.webkit.org/show_bug.cgi?id=172181
patchpoint->clobber(PinnedRegisterInfo::get().toSave(MemoryMode::BoundsChecking));
patchpoint->clobber(RegisterSet::macroScratchRegisters());
+ patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
+
patchpoint->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
AllowMacroScratchRegisterUsage allowScratch(jit);
GPRReg newContextInstance = params[0].gpr();
@@ -1857,11 +1867,12 @@
// FIXME: We should support more than one memory size register
// see: https://bugs.webkit.org/show_bug.cgi?id=162952
ASSERT(pinnedRegs.sizeRegister != newContextInstance);
+ GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.sizeRegister;
+
jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
-#if CPU(ARM64E)
- jit.untagArrayPtr(pinnedRegs.sizeRegister, baseMemory);
-#endif
+
+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
});
emitPatchpoint(doContextSwitch, patchpoint, Tmp(), newContextInstance, instanceValue());
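Review bot: The existing `ASSERT(pinnedRegs.sizeRegister != newContextInstance)` now has a sibling register, `scratchOrSize`, with no corresponding check even though `cageConditionally` may clobber it while `newContextInstance` is still needed for the two loads and `baseMemory` receives the result. Add `ASSERT(scratchOrSize != newContextInstance && scratchOrSize != baseMemory);` directly after the `scratchOrSize` line. As in restoreWebAssemblyGlobalState above, `Gigacage::isEnabled` is read both when setting `numGPScratchRegisters` and inside the generator; computing it once and capturing the `bool` avoids the two disagreeing. addCallIndirect starts and ends outside this hunk.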
Modified: trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (245431 => 245432)
--- trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2019-05-17 01:49:50 UTC (rev 245431)
+++ trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2019-05-17 02:21:51 UTC (rev 245432)
@@ -47,6 +47,7 @@
#include "B3VariableValue.h"
#include "B3WasmAddressValue.h"
#include "B3WasmBoundsCheckValue.h"
+#include "DisallowMacroScratchRegisterUsage.h"
#include "JSCInlines.h"
#include "ScratchRegisterAllocator.h"
#include "VirtualRegister.h"
@@ -468,6 +469,8 @@
RegisterSet clobbers;
clobbers.set(pinnedRegs->baseMemoryPointer);
clobbers.set(pinnedRegs->sizeRegister);
+ if (!isARM64())
+ clobbers.set(RegisterSet::macroScratchRegisters());
B3::PatchpointValue* patchpoint = block->appendNew<B3::PatchpointValue>(proc, B3::Void, origin());
Effects effects = Effects::none();
@@ -475,16 +478,19 @@
effects.reads = B3::HeapRange::top();
patchpoint->effects = effects;
patchpoint->clobber(clobbers);
+ patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
patchpoint->append(instance, ValueRep::SomeRegister);
-
patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
+ RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64());
+ AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64());
GPRReg baseMemory = pinnedRegs->baseMemoryPointer;
+ GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister;
+
jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister);
jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
-#if CPU(ARM64E)
- jit.untagArrayPtr(pinnedRegs->sizeRegister, baseMemory);
-#endif
+
+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
});
}
}
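Review bot: Same concern as the Air generator: `Gigacage::isEnabled(Gigacage::Primitive)` is consulted once to set `numGPScratchRegisters` and again inside the generator to pick `params.gpScratch(0)`, so the two can only stay consistent if the cage cannot be disabled in between. Hoisting it to `bool cagePrimitive = Gigacage::isEnabled(Gigacage::Primitive);` captured by the lambda removes the dependency, and `ASSERT(scratchOrSize != baseMemory);` after the `scratchOrSize` assignment documents the aliasing assumption. The `RELEASE_ASSERT` line would also benefit from a comment such as `// arm64e replaces the primitive cage with PAC, so both must never be active at once.`, which is what the ChangeLog implies but the code does not say. restoreWebAssemblyGlobalState starts before this hunk.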
@@ -1272,6 +1278,8 @@
patchpoint->clobber(RegisterSet::macroScratchRegisters());
patchpoint->append(newContextInstance, ValueRep::SomeRegister);
patchpoint->append(instanceValue(), ValueRep::SomeRegister);
+ patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
+
patchpoint->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
AllowMacroScratchRegisterUsage allowScratch(jit);
GPRReg newContextInstance = params[0].gpr();
@@ -1286,11 +1294,12 @@
// FIXME: We should support more than one memory size register
// see: https://bugs.webkit.org/show_bug.cgi?id=162952
ASSERT(pinnedRegs.sizeRegister != newContextInstance);
+ GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.sizeRegister;
+
jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
-#if CPU(ARM64E)
- jit.untagArrayPtr(pinnedRegs.sizeRegister, baseMemory);
-#endif
+
+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
});
doContextSwitch->appendNewControlValue(m_proc, Jump, origin(), continuation);
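Review bot: `scratchOrSize` is a new register that `cageConditionally` may write while `newContextInstance` must survive the two loads, but only `pinnedRegs.sizeRegister` is asserted distinct from `newContextInstance`. Add `ASSERT(scratchOrSize != newContextInstance && scratchOrSize != baseMemory);` after the `scratchOrSize` assignment so the B3 path carries the same guarantee as its Air counterpart. addCallIndirect starts and ends outside this hunk.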
Modified: trunk/Source/_javascript_Core/wasm/WasmBinding.cpp (245431 => 245432)
--- trunk/Source/_javascript_Core/wasm/WasmBinding.cpp 2019-05-17 01:49:50 UTC (rev 245431)
+++ trunk/Source/_javascript_Core/wasm/WasmBinding.cpp 2019-05-17 02:21:51 UTC (rev 245432)
@@ -45,7 +45,7 @@
const PinnedRegisterInfo& pinnedRegs = PinnedRegisterInfo::get();
JIT jit;
- GPRReg scratch = GPRInfo::nonPreservedNonArgumentGPR0;
+ GPRReg scratch = wasmCallingConventionAir().prologueScratch(0);
GPRReg baseMemory = pinnedRegs.baseMemoryPointer;
ASSERT(baseMemory != scratch);
ASSERT(pinnedRegs.sizeRegister != baseMemory);
@@ -65,12 +65,14 @@
// FIXME the following code assumes that all Wasm::Instance have the same pinned registers. https://bugs.webkit.org/show_bug.cgi?id=162952
// Set up the callee's baseMemory register as well as the memory size registers.
- jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
- jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*).
-#if CPU(ARM64E)
- jit.untagArrayPtr(pinnedRegs.sizeRegister, baseMemory);
-#endif
+ {
+ GPRReg scratchOrSize = isARM64E() ? pinnedRegs.sizeRegister : wasmCallingConventionAir().prologueScratch(1);
+ jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
+ jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*).
+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
+ }
+
// Tail call into the callee WebAssembly function.
jit.loadPtr(scratch, scratch);
jit.jump(scratch, WasmEntryPtrTag);
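Review bot: On the non-ARM64E path `scratchOrSize` is `wasmCallingConventionAir().prologueScratch(1)`, a register `cageConditionally` may clobber, yet the function's ASSERTs only cover `scratch` and `baseMemory`; nothing checks that `prologueScratch(1)` differs from `scratch` (which still holds the callee pointer consumed by `jit.loadPtr(scratch, scratch)` right after the block), from `baseMemory`, or from `pinnedRegs.sizeRegister`. Add `ASSERT(scratchOrSize != scratch && scratchOrSize != baseMemory && scratchOrSize != pinnedRegs.sizeRegister);` after the `scratchOrSize` line. A one-line comment on why ARM64E reuses the size register would also help readers, along the lines of `// arm64e authenticates the base with the size as modifier; other targets need a free scratch for the cage base.` — cageConditionally's body is not in this diff, so confirm the wording against it. wasmToWasm starts before this hunk.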
Modified: trunk/Source/_javascript_Core/wasm/WasmInstance.h (245431 => 245432)
--- trunk/Source/_javascript_Core/wasm/WasmInstance.h 2019-05-17 01:49:50 UTC (rev 245431)
+++ trunk/Source/_javascript_Core/wasm/WasmInstance.h 2019-05-17 02:21:51 UTC (rev 245432)
@@ -64,7 +64,7 @@
Memory* memory() { return m_memory.get(); }
Table* table() { return m_table.get(); }
- void* cachedMemory() const { return m_cachedMemory.get(cachedMemorySize()); }
+ void* cachedMemory() const { return m_cachedMemory.getMayBeNull(cachedMemorySize()); }
size_t cachedMemorySize() const { return m_cachedMemorySize; }
void setMemory(Ref<Memory>&& memory)
@@ -76,7 +76,7 @@
void updateCachedMemory()
{
if (m_memory != nullptr) {
- m_cachedMemory = TaggedArrayStoragePtr<void>(memory()->memory(), memory()->size());
+ m_cachedMemory = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>(memory()->memory(), memory()->size());
m_cachedMemorySize = memory()->size();
}
}
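Review bot: `m_cachedMemory` is now a `CagedPtr` constructed with `memory()->size()`, and `cachedMemory()` decodes it with `cachedMemorySize()`, so the pointer and `m_cachedMemorySize` form one invariant that `updateCachedMemory` maintains but nothing documents. Suggest a comment above the two assignments: `// m_cachedMemory is caged/tagged with the memory size; m_cachedMemorySize must always be the size it was constructed with, so update both together.` A reader who later updates one field alone (for example on a grow path) would otherwise get an authentication failure on arm64e with no hint why. The enclosing class continues outside this hunk.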
@@ -143,7 +143,7 @@
}
void* m_owner { nullptr }; // In a JS embedding, this is a JSWebAssemblyInstance*.
Context* m_context { nullptr };
- TaggedArrayStoragePtr<void> m_cachedMemory;
+ CagedPtr<Gigacage::Primitive, void, tagCagedPtr> m_cachedMemory;
size_t m_cachedMemorySize { 0 };
Ref<Module> m_module;
RefPtr<CodeBlock> m_codeBlock;
Modified: trunk/Source/_javascript_Core/wasm/WasmMemory.cpp (245431 => 245432)
--- trunk/Source/_javascript_Core/wasm/WasmMemory.cpp 2019-05-17 01:49:50 UTC (rev 245431)
+++ trunk/Source/_javascript_Core/wasm/WasmMemory.cpp 2019-05-17 02:21:51 UTC (rev 245432)
@@ -423,7 +423,7 @@
memcpy(newMemory, memory(), m_size);
if (m_memory)
Gigacage::freeVirtualPages(Gigacage::Primitive, memory(), m_size);
- m_memory = TaggedArrayStoragePtr<void>(newMemory, desiredSize);
+ m_memory = CagedMemory(newMemory, desiredSize);
m_mappedCapacity = desiredSize;
m_size = desiredSize;
ASSERT(memory() == newMemory);
@@ -439,7 +439,7 @@
dataLog("mprotect failed: ", strerror(errno), "\n");
RELEASE_ASSERT_NOT_REACHED();
}
- m_memory.resize(m_size, desiredSize);
+ m_memory.recage(m_size, desiredSize);
m_size = desiredSize;
return success();
}
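Review bot: `m_memory.recage(m_size, desiredSize)` passes two `size_t` values into `CagedPtr::recage(unsigned oldSize, unsigned newSize)` (signature visible in the CagedPtr.h hunk of this diff), so the C++ side tags with a truncated size while the JIT loads the full pointer-width `cachedMemorySize` as the untag modifier. If a wasm memory can ever reach 4 GiB the two would disagree and authentication would fail; if `PageCount` already bounds sizes below that, a `RELEASE_ASSERT(desiredSize <= std::numeric_limits<unsigned>::max());` before the call, or a `static_assert` on the page-count maximum, would document the assumption at the call site. Whether such sizes are reachable is not determinable from this diff. Memory::grow begins before this hunk.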
Modified: trunk/Source/_javascript_Core/wasm/WasmMemory.h (245431 => 245432)
--- trunk/Source/_javascript_Core/wasm/WasmMemory.h 2019-05-17 01:49:50 UTC (rev 245431)
+++ trunk/Source/_javascript_Core/wasm/WasmMemory.h 2019-05-17 02:21:51 UTC (rev 245432)
@@ -30,11 +30,11 @@
#include "WasmMemoryMode.h"
#include "WasmPageCount.h"
+#include <wtf/CagedPtr.h>
#include <wtf/Expected.h>
#include <wtf/Function.h>
#include <wtf/RefCounted.h>
#include <wtf/RefPtr.h>
-#include <wtf/TaggedArrayStoragePtr.h>
#include <wtf/Vector.h>
#include <wtf/WeakPtr.h>
@@ -69,7 +69,7 @@
static size_t fastMappedBytes(); // Includes redzone.
static bool addressIsInActiveFastMemory(void*);
- void* memory() const { ASSERT(m_memory.get(size()) == m_memory.getUnsafe()); return m_memory.get(size()); }
+ void* memory() const { ASSERT(m_memory.getMayBeNull(size()) == m_memory.getUnsafe()); return m_memory.getMayBeNull(size()); }
size_t size() const { return m_size; }
PageCount sizeInPages() const { return PageCount::fromBytes(m_size); }
@@ -97,7 +97,8 @@
Memory(void* memory, PageCount initial, PageCount maximum, size_t mappedCapacity, MemoryMode, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback);
Memory(PageCount initial, PageCount maximum, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback);
- TaggedArrayStoragePtr<void> m_memory;
+ using CagedMemory = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>;
+ CagedMemory m_memory;
size_t m_size { 0 };
PageCount m_initial;
PageCount m_maximum;
Modified: trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp (245431 => 245432)
--- trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp 2019-05-17 01:49:50 UTC (rev 245431)
+++ trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp 2019-05-17 02:21:51 UTC (rev 245432)
@@ -210,28 +210,23 @@
if (!!info.memory) {
GPRReg baseMemory = pinnedRegs.baseMemoryPointer;
+ GPRReg scratchOrSize = wasmCallingConventionAir().prologueScratch(0);
if (Context::useFastTLS())
jit.loadWasmContextInstance(baseMemory);
GPRReg currentInstanceGPR = Context::useFastTLS() ? baseMemory : wasmContextInstanceGPR;
- if (mode != MemoryMode::Signaling) {
- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister);
- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
-#if CPU(ARM64E)
- jit.untagArrayPtr(pinnedRegs.sizeRegister, baseMemory);
-#endif
+ if (isARM64E()) {
+ if (mode != Wasm::MemoryMode::Signaling)
+ scratchOrSize = pinnedRegs.sizeRegister;
+ jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratchOrSize);
} else {
-#if CPU(ARM64E)
- GPRReg scratch = wasmCallingConventionAir().prologueScratch(0);
+ if (mode != Wasm::MemoryMode::Signaling)
+ jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister);
+ }
- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratch);
- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
- jit.untagArrayPtr(scratch, baseMemory);
-#else
- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
-#endif
- }
+ jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
}
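Review bot: After the restructuring, the memory-size load must still precede the final `offsetOfCachedMemory` load into `baseMemory`, because `currentInstanceGPR` is `baseMemory` itself whenever `Context::useFastTLS()` is true and that last load clobbers it; the order is now the only thing preserving the instance pointer, and nothing says so. Suggest `// Load the size first: with fast TLS, baseMemory doubles as currentInstanceGPR and the cachedMemory load below overwrites it.` above the first `if (isARM64E())`. An `ASSERT(scratchOrSize != currentInstanceGPR && scratchOrSize != baseMemory);` after the `scratchOrSize` initialisation would also catch a `prologueScratch(0)` collision should the calling-convention registers change — whether they can overlap today is not visible here. createJSToWasmWrapper continues outside this hunk.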
CCallHelpers::Call call = jit.threadSafePatchableNearCall();
Modified: trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp (245431 => 245432)
--- trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp 2019-05-17 01:49:50 UTC (rev 245431)
+++ trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp 2019-05-17 02:21:51 UTC (rev 245432)
@@ -395,22 +395,20 @@
if (!!moduleInformation.memory) {
GPRReg baseMemory = pinnedRegs.baseMemoryPointer;
+ GPRReg scratchOrSize = scratch2GPR;
+ auto mode = instance()->memoryMode();
- if (instance()->memoryMode() != Wasm::MemoryMode::Signaling) {
- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister);
- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
-#if CPU(ARM64E)
- jit.untagArrayPtr(pinnedRegs.sizeRegister, baseMemory);
-#endif
+ if (isARM64E()) {
+ if (mode != Wasm::MemoryMode::Signaling)
+ scratchOrSize = pinnedRegs.sizeRegister;
+ jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratchOrSize);
} else {
-#if CPU(ARM64E)
- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratch2GPR);
- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
- jit.untagArrayPtr(scratch2GPR, baseMemory);
-#else
- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
-#endif
+ if (mode != Wasm::MemoryMode::Signaling)
+ jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister);
}
+
+ jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
}
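Review bot: `scratchOrSize` defaults to `scratch2GPR` and, on non-ARM64E, is handed to `cageConditionally` as a clobberable scratch while `scratchGPR` still holds the instance used for every load in the block, but nothing asserts that `scratch2GPR` is distinct from `scratchGPR`, `baseMemory` or `pinnedRegs.sizeRegister`. Add `ASSERT(scratchOrSize != scratchGPR && scratchOrSize != baseMemory);` after the `mode` line; if both scratch registers are compile-time constants defined elsewhere in the file, a `static_assert` is the better form, but their definitions are outside this hunk. As in JSToWasm.cpp, a one-line comment that the size must be loaded before the `offsetOfCachedMemory` load would help the next editor keep the order. jsCallEntrypointSlow starts and ends outside this hunk.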
// We use this callee to indicate how to unwind past these types of frames:
Modified: trunk/Source/WTF/ChangeLog (245431 => 245432)
--- trunk/Source/WTF/ChangeLog 2019-05-17 01:49:50 UTC (rev 245431)
+++ trunk/Source/WTF/ChangeLog 2019-05-17 02:21:51 UTC (rev 245432)
@@ -1,3 +1,16 @@
+2019-05-16 Keith Miller <[email protected]>
+
+ Wasm should cage the memory base pointers in structs
+ https://bugs.webkit.org/show_bug.cgi?id=197620
+
+ Reviewed by Saam Barati.
+
+ Rename reauthenticate to recage.
+
+ * wtf/CagedPtr.h:
+ (WTF::CagedPtr::recage):
+ (WTF::CagedPtr::reauthenticate): Deleted.
+
2019-05-16 Alex Christensen <[email protected]>
Add a unit test for client certificate authentication
Modified: trunk/Source/WTF/wtf/CagedPtr.h (245431 => 245432)
--- trunk/Source/WTF/wtf/CagedPtr.h 2019-05-17 01:49:50 UTC (rev 245431)
+++ trunk/Source/WTF/wtf/CagedPtr.h 2019-05-17 02:21:51 UTC (rev 245432)
@@ -78,7 +78,7 @@
typename std::enable_if<!std::is_same<void, U>::value, T>::type&
/* T& */ at(unsigned index, unsigned size) const { return get(size)[index]; }
- void reauthenticate(unsigned oldSize, unsigned newSize)
+ void recage(unsigned oldSize, unsigned newSize)
{
auto ptr = get(oldSize);
ASSERT(ptr == getUnsafe());
Modified: trunk/Source/bmalloc/ChangeLog (245431 => 245432)
--- trunk/Source/bmalloc/ChangeLog 2019-05-17 01:49:50 UTC (rev 245431)
+++ trunk/Source/bmalloc/ChangeLog 2019-05-17 02:21:51 UTC (rev 245432)
@@ -1,3 +1,15 @@
+2019-05-16 Keith Miller <[email protected]>
+
+ Wasm should cage the memory base pointers in structs
+ https://bugs.webkit.org/show_bug.cgi?id=197620
+
+ Reviewed by Saam Barati.
+
+ Fix signature to take Gigacage::Kind, which matches GIGACAGE_ENABLED build.
+
+ * bmalloc/Gigacage.h:
+ (Gigacage::isEnabled):
+
2019-05-08 Keith Miller <[email protected]>
Remove Gigacage from arm64 and use PAC for arm64e instead
Modified: trunk/Source/bmalloc/bmalloc/Gigacage.h (245431 => 245432)
--- trunk/Source/bmalloc/bmalloc/Gigacage.h 2019-05-17 01:49:50 UTC (rev 245431)
+++ trunk/Source/bmalloc/bmalloc/Gigacage.h 2019-05-17 02:21:51 UTC (rev 245432)
@@ -226,7 +226,7 @@
BINLINE void ensureGigacage() { }
BINLINE bool wasEnabled() { return false; }
BINLINE bool isCaged(Kind, const void*) { return true; }
-BINLINE bool isEnabled() { return false; }
+BINLINE bool isEnabled(Kind) { return false; }
template<typename T> BINLINE T* caged(Kind, T* ptr) { return ptr; }
template<typename T> BINLINE T* cagedMayBeNull(Kind, T* ptr) { return ptr; }
BINLINE void disableDisablingPrimitiveGigacageIfShouldBeEnabled() { }